1 / 106

Riposte: an Anonymous Messaging System that ' Hides the Metadata'

Riposte: an Anonymous Messaging System that ' Hides the Metadata'. Charles River Crypto Day 20 February 2015. With PKE, we can hide the data…. ?!?. …but does that hide enough?. pk. ( pk , sk ). 0VUIC9zZW5zaXRpdmU. …. Hiding the data is necessary, but not sufficient. ….

stelzer
Download Presentation

Riposte: an Anonymous Messaging System that ' Hides the Metadata'

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Riposte: an Anonymous Messaging System that 'Hides the Metadata' Charles River Crypto Day 20 February 2015

  2. With PKE, we can hide the data… ?!? …but does that hide enough? pk (pk, sk) 0VUIC9zZW5zaXRpdmU

  4. Hiding the data is necessary, but not sufficient … [cf. Ed Felten’s testimony before the HouseJudiciary Committee, 2 Oct 2013]

  5. Focus of this talk Goal: post “anonymously” to a public bulletin board Building block for many problems related to “hiding the metadata”  E-voting  Anonymous surveys  Private messaging, etc.

  6. First Attempt: Tor “Onion”encryption [Dingledine,Mathewson,Syverson 2004]

  7. Passive network adversary can correlate flows! Is this attack realistic? [Murdoch andDanezis 2005] [Bauer et al. 2007]

  8. A well-placed adversary need control few links [Murdoch and Zieliński 2007]

  9. Tor is practical at Internet scale … but its security properties are unclear We design an anonymous messaging system that:1) satisfies clear security goals, 2) handles millions of users in an “anonymous Twitter” system.

  10. Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation • Conclusions

  11. Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation • Conclusions

  12. Reframe the Problem ≅ Posting anonymously to a bulletin board Writing “privately” to a database

  13. Goal The “Anonymity Set”

  14. Goal

  15. Goal DB does not learn who wrote which message 0 To: taxfraud@stanford.edu 0 + Protest will be held tomo… See my cat photos at w… 0

  16. (k,t)-Write-Anonymous DB Scheme qi k = (# of servers), t = (# malicious servers) [Gen query to write m into row l of DB] [Apply query to state of server i] [Combine server states to reveal plaintext DB] s s’

  17. Goals • Correctness • Write-anonymity • Disruption resistance

  18. Goal 1: Correctness Informal: Output DB should be result of applying queries to DB state. If queries are: then result of Reveal() is:

  19. Goal 2: Write-Anonymity Informal: coalition of t malicious servers and any number of malicious clients should not learn who wrote what to the DB. I will present the [simplified] two-server definition with one malicious server.

  20. Adversary Challenger Let n = number of clients total For : Choose on elements of H

  21. Adversary Challenger Let n = number of clients total For : Choose perm on elements of H

  22. Adversary Challenger Let n = number of clients total For : Choose perm on elements of H

  23. Adversary Challenger Let n = number of clients total For : Choose perm on elements of H

  24. Adversary Challenger Let n = number of clients total (k,t)-Write-Private Database Scheme For : Choose perm on elements of H Queries in H updated according to permutation π

  25. Adversary Challenger Let n = number of clients total (k,t)-Write-Private Database Scheme For : Choose perm on elements of H Intuition: The scheme hides “who wrote what” (which query corresponds to which message) Adv should not be able to distinguish between real π and random π* Choose perm on elements of H

  26. Goal 3: Disruption Resistance Intuition: each query should change at most one DB row—prevent disruption Informal: An adversary cannot generate N “valid” queries that affect > N rows [We defer the definition a“valid” query for now…]

  27. Privacy-Preserving DB Schemes ORAM[GO’96] / Group ORAM [GOMT’11] • CPU(s) writing to RAM Private Info Retrieval (PIR)[CGKS’97] • Client reading from DB shared across servers Private Info Storage[OS’97] • Client writing to DB shared across servers This work: Many clients (inclmalicious ones) writing to DB shared across servers Ideally: for all k, tolerate compromise of k-1 servers

  28. SX SY (2,1)-Private“Straw man”Scheme[Chaum ‘88] 0 0 0 0 0 0 0 0 0 0

  29. SX SY 0 0 0 0 0 0 0 0 0 0 “Straw man”Scheme

  30. SX SY 0 0 0 0 0 0 0 0 0 0 Write msgmA into DB row 3 “Straw man”Scheme

  31. SX SY 0 0 0 0 0 0 0 0 0 0 0 0 “Straw man”Scheme mA 0 0

  32. SX SY 0 0 0 0 0 0 0 0 0 0 0 r1 0 r2 “Straw man”Scheme mA r3 0 r4 0 r5

  33. SX SY 0 0 0 0 0 0 0 0 0 0 0 r1 -r1 0 r2 -r2 - “Straw man”Scheme = mA r3 mA -r3 0 r4 -r4 0 r5 -r5

  34. SX SY 0 0 0 0 0 0 0 0 0 0 r1 -r1 r2 -r2 “Straw man”Scheme r3 mA -r3 r4 -r4 r5 -r5

  35. SX SY 0 0 -r1 r1 0 0 -r2 r2 0 0 mA -r3 r3 0 0 -r4 r4 0 0 -r5 r5 “Straw man”Scheme

  36. SX SY r1 -r1 r2 -r2 r3 -r3+mA r4 -r4 r5 -r5 “Straw man”Scheme

  37. SX SY r1 -r1 r2 -r2 r3 -r3+mA r4 -r4 r5 -r5 0 0 “Straw man”Scheme 0 0 mB

  38. SX SY r1 -r1 r2 -r2 r3 -r3+mA r4 -r4 r5 -r5 0 s1 -s1 0 s2 -s2 - “Straw man”Scheme = 0 s3 -s3 0 s4 -s4 mB s5 mB-s5

  39. SX SY r1 -r1 r2 -r2 r3 -r3+mA r4 -r4 r5 -r5 s1 -s1 s2 -s2 “Straw man”Scheme s3 -s3 s4 -s4 s5 mB-s5

  40. SX SY r1 -r1 s1 -s1 r2 -r2 s2 -s2 r3 -r3+mA s3 -s3 r4 -r4 s4 -s4 r5 -r5 s5 mB-s5 “Straw man”Scheme

  41. SX SY r1 + s1 -r1 -s1 r2 + s2 -r2-s2 r3 + s3 -r3 -s3 + mA r4 + s4 -r4-s4 r5 + s5 -r5-s5 - mB “Straw man”Scheme

  42. SX SY r1 + s1 -r1 -s1 r2 + s2 -r2-s2 r3 + s3 -r3 -s3 + mA r4 + s4 -r4-s4 r5 + s5 -r5-s5 - mB “Straw man”Scheme

  43. SX SY r1 + s1 -r1 -s1 r2 + s2 -r2-s2 r3 + s3 -r3 -s3 + mA r4 + s4 -r4-s4 r5 + s5 -r5-s5 - mB “Straw man”Scheme

  44. SX SY r1 + s1 -r1 -s1 r2 + s2 -r2-s2 r3 + s3 -r3 -s3 + mA r4 + s4 -r4-s4 r5 + s5 -r5-s5 - mB “Straw man”Scheme

  45. SX SY r1 + s1 -r1 -s1 0 r2 + s2 -r2-s2 0 + = r3 + s3 -r3 -s3 + mA mA r4 + s4 -r4-s4 0 r5 + s5 -r5-s5 - mB mB At the end of the day, servers combine DBs to reveal plaintext “Straw man”Scheme

  46. First-Attempt Scheme: Properties Correctness — By construction Write-Anonymity — Given output vector, servers can simulate their view of the protocol run Practical Efficiency — Almost no “heavy” computation involved

  47. Extensions • Use k > 2 servers • secure againstk-1 evil servers • Use a large-characteristic field •  e.g., email-length rows

  48. Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation • Conclusions

  49. Limitations of the “Straw man” • O(L) communication cost • Collisions • Malicious clients

  50. Limitations of the “Straw man” • O(L) communication cost • Collisions • Malicious clients

More Related